Securing WordPress from the Start

WordPress security is an important element of owning a WordPress site and something you need to consider when creating a new WordPress site. In this post, we cover a few methods for securing WordPress from the start, and additional steps you can take to keep your existing WordPress site secure.

Secure WordPress by Installing WordPress Manually

Many hosting companies offer a one-click installation option for WordPress sites. Although using a one-click install can make the process simpler and a little quicker, for the purposes of securing WordPress, it’s usually best to install WordPress manually.

1. Create a New Database

If you haven’t already done so, you will need to create a database for your WordPress site. You can create a new database through your host’s cPanel or dashboard, using the MySQL database wizard. Each host typically has its own setup, but usually allows you to create your database user, password and database all on one screen.

For example, here’s a screenshot of setting up a new database using the MySQL Database wizard (screenshot not reproduced; its caption reads: Use a strong password.).

Just be sure when you create your password for your database user that you create a strong password. Most hosts will provide you with the option to generate a password.

2. Download the WordPress Software

To get started with the WordPress installation, you can download the WordPress software from WordPress.org.

3. Change WordPress Salts & Security Keys

Once you’ve downloaded WordPress, unzip the file you downloaded and find the wp-config-sample.php file. Open it using a text editor. In this file, you’ll enter all of your new database credentials.
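The same wp-config-sample.php file also holds the eight WordPress security keys and salts (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their four _SALT counterparts), each shipped with the placeholder "put your unique phrase here". The script below is an added example, not code from this post or from WordPress: it fills in the database constants and gives every key and salt its own random value, then checks that no placeholder is left. The SAMPLE_CONFIG text is a constructed stand-in for the relevant lines of the real file.

```python
import re
import secrets
import string

# Constructed stand-in for the lines of wp-config-sample.php that matter here
# (the real file carries the same define() lines, plus comments and more settings).
SAMPLE_CONFIG = """\
define( 'DB_NAME', 'database_name_here' );
define( 'DB_USER', 'username_here' );
define( 'DB_PASSWORD', 'password_here' );
define( 'DB_HOST', 'localhost' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
"""

PLACEHOLDER = "put your unique phrase here"
SALT_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Printable characters minus the quote and backslash, so a generated value can
# sit inside a PHP single-quoted string without escaping.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_ []{}<>~`+=,.;:/?|"

def random_salt(length=64):
    """Cryptographically random value for one key or salt."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def php_single_quote(value):
    """Escape a user-supplied value for a PHP single-quoted literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'")

def fill_config(sample, db):
    """Set the DB_* constants given in `db` and replace every placeholder
    with its own fresh random value; returns the new config text."""
    out = sample
    for const, value in db.items():
        out = re.sub(rf"define\(\s*'{const}',\s*'[^']*'\s*\);",
                     lambda m, c=const, v=value: f"define( '{c}', '{php_single_quote(v)}' );",
                     out)
    return re.sub(rf"'{PLACEHOLDER}'", lambda m: f"'{random_salt()}'", out)

def remaining_placeholders(config):
    """Number of keys/salts still set to the stock placeholder (should be 0)."""
    return config.count(PLACEHOLDER)

def salt_values(config):
    """Current value of each key/salt, in SALT_NAMES order."""
    return [re.search(rf"define\(\s*'{name}',\s*'([^']*)'\s*\);", config).group(1)
            for name in SALT_NAMES]
```

Run it against your own copy of wp-config-sample.php, write the result to wp-config.php, and keep that file out of version control, since it now holds the database password and the live keys.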

More Steps for Securing WordPress

These steps cover how to secure WordPress from the start, but there are more steps you can take to secure your site once it is up and running. Taking these further WordPress security steps will help keep your new website secure.

Enable Two-Factor Authentication

WordPress two-factor authentication adds an important extra layer of protection to your WordPress site’s login and admin area by requiring 1) a password and 2) a secondary time-sensitive code to log in.

While it may seem like a hassle at first, using two-factor authentication greatly reduces the risk of WordPress brute force attacks and helps to make sure your admin login credentials are only used by you.

Activate WordPress Brute Force Protection

With the iThemes Security plugin, you can add WordPress Brute Force Protection. WordPress brute force attacks occur when someone (or a bot) repeatedly tries multiple username and password combinations until they are able to gain access to your site. By default, there is no option in WordPress to block a user or an IP address after a set number of login attempts. Users can try as many times as needed until they get logged in.

The WordPress Brute Force Protection setting in iThemes Security allows you to determine how many attempts specific hosts and users are given before they are blocked and how long they are banned from accessing the site. You can also automatically block any user who attempts to log in using the admin username.
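To make the lockout policy described above concrete, here is an added example (not the plugin’s code, and not its defaults): a small tracker that counts failed logins per host and per username inside a check period, bans either once it reaches its limit, and bans a host outright when it tries the admin username. The limits, the check period and the ban duration are assumed values; times are plain seconds.

```python
from collections import defaultdict

class BruteForceLockout:
    """Per-host and per-user lockout. Limits and durations are assumptions,
    chosen to illustrate the policy, not any plugin's defaults."""

    def __init__(self, host_limit=5, user_limit=10, check_period=300,
                 ban_seconds=900, ban_admin_username=True):
        self.host_limit = host_limit          # failures a single host may make
        self.user_limit = user_limit          # failures against one username
        self.check_period = check_period      # window in which failures count
        self.ban_seconds = ban_seconds        # how long a ban lasts
        self.ban_admin_username = ban_admin_username
        self.failures = {"host": defaultdict(list), "user": defaultdict(list)}
        self.banned_until = {"host": {}, "user": {}}

    def _recent(self, kind, key, now):
        """Drop failures older than the check period and return the rest."""
        window = now - self.check_period
        self.failures[kind][key] = [t for t in self.failures[kind][key] if t > window]
        return self.failures[kind][key]

    def is_banned(self, host, username, now):
        """True if either the host or the username is currently banned."""
        return (self.banned_until["host"].get(host, 0) > now
                or self.banned_until["user"].get(username, 0) > now)

    def record_failure(self, host, username, now):
        """Register one failed login; returns which bans this attempt triggered."""
        triggered = []
        if self.ban_admin_username and username.lower() == "admin":
            # Nobody should be logging in as "admin": ban the host immediately.
            self.banned_until["host"][host] = now + self.ban_seconds
            triggered.append("host")
        for kind, key, limit in (("host", host, self.host_limit),
                                 ("user", username, self.user_limit)):
            attempts = self._recent(kind, key, now)
            attempts.append(now)
            if len(attempts) >= limit and kind not in triggered:
                self.banned_until[kind][key] = now + self.ban_seconds
                triggered.append(kind)
        return triggered
```

Counting failures per username as well as per host is what catches a distributed attempt that spreads guesses for one account across many hosts.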

Lock Down WordPress with Away Mode

Another feature to help with securing WordPress is the Away Mode feature in the iThemes Security plugin.

It’s unlikely that you are working on your WordPress website 24 hours a day. Most likely, there is a certain time period you typically work in. Maybe you’re a freelancer who works another job during the day and works on your site in the evenings.

The Away Mode setting allows you to lock down WordPress by limiting access to the WordPress dashboard so that it is only accessible during a specified interval. This means that no one, no matter their intentions, can log into the backend of your site during that set time period.

The Importance of WordPress Backups

Another important component of your WordPress Security strategy to consider is using a WordPress backup plugin, like BackupBuddy. Plugins such as BackupBuddy are vitally important for those times when, despite your best efforts, your site is hacked.

Enable WordPress Backup Schedules

With BackupBuddy, you can create backup schedules, both of the full site and just your WordPress database. This means that if your site is hacked, you will be able to restore your site to a state before the hack.

You can set automatic WordPress backup schedules to whatever intervals you prefer, but we recommend creating a backup schedule that creates a full site backup monthly and a database backup weekly.

If your site is more active and you are constantly adding new content, a weekly full site backup and a daily database backup might be a better schedule for you. You can also use Stash Live, a feature in BackupBuddy 7.0+, for real-time WordPress backups.

Store WordPress Backups Securely Offsite

When you create your schedules, you also have the option of sending your backup files to an offsite location.

Storing your backups offsite is an excellent security measure in case it is your server, not just your site, that is hacked. If your backup files are stored in an offsite destination such as BackupBuddy Stash or Google Drive, even if your server is attacked or goes down, you will have access to a backup file that you can restore your site with.

More Tips on Securing WordPress

WordPress security can be overwhelming, but there are simple, actionable steps you can take to start using WordPress security best practices. Check out more WordPress security tips in our free ebook: WordPress Security: A Pocket Guide.
